Weaknesses in a popular brand of light system controlled by computers and smartphones can be exploited by attackers to cause blackouts that are remedied only by removing the wireless device that receives the commands, a security researcher said.

The vulnerabilities in the Hue LED lighting system made by Philips are another example of the risks posed by connecting thermostats, door locks, and other everyday devices to the Internet so they can be controlled by someone in the next room or across town. While the so-called Internet of Things phenomenon brings convenience and new capabilities to gadgets, those benefits come at a cost. Namely, the devices are susceptible to the same kinds of hack attacks that have plagued computer users for decades. The ability to load a Web page that causes house or office lights to go black could pose risks that go well beyond the typical computer threat.

"Lighting is critical to physical security," Nitesh Dhanjani, the researcher who discovered the weaknesses and developed proof-of-concept attacks that exploit them, wrote in a blog post published Tuesday. "Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences."

The most serious vulnerability Dhanjani uncovered was the weak authentication system the Philips wireless controller uses to receive commands from trusted smartphones and computers. It consists of a security token containing the device's unique media access control identifier that has been cryptographically hashed using a known algorithm. These hardware addresses are trivial to detect by anyone on the same network or often by people within radio range of a device, making them unsuitable for authentication. It's tantamount to using a hashed street address as the combination to lock a front door.

Dhanjani's exploit arrives in Java code that can be delivered when browsing compromised websites or websites dedicated to serving attack pages. It combs through the address resolution protocol cache of a local network to find all connected devices. The exploit then runs the MAC address of each discovered device through the MD5 hash algorithm and includes the output in a security token used to send commands to the light controller. If a command is successfully executed, the exploit will repeat the successful command over and over. If a command doesn't succeed, the malware will register a new token every second or so using a different MAC address until a valid one is found.
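
An added example, not taken from Dhanjani's post or from Philips code: a defender-side audit showing why a token that is just the MD5 of a MAC address fails as a secret. It checks a list of registered tokens against hashes of the MAC addresses visible on the LAN. The MAC text formats tried, the sample addresses and the function names are assumptions, since the article does not give the exact string the bridge hashes.

```python
import hashlib
import re
import secrets


def mac_forms(mac):
    """Yield common textual spellings of one MAC address (assumed formats)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    for sep in (":", "-", ""):
        joined = sep.join(pairs)
        yield joined.lower()
        yield joined.upper()


def audit_tokens(tokens, lan_macs):
    """Return {token: mac} for every registered token that equals MD5(MAC)."""
    derived = {}
    for mac in lan_macs:
        for form in mac_forms(mac):
            derived[hashlib.md5(form.encode("ascii")).hexdigest()] = mac
    return {t: derived[t.lower()] for t in tokens if t.lower() in derived}


def new_token():
    """A token with 128 bits from the OS CSPRNG, unrelated to any address."""
    return secrets.token_hex(16)


# Constructed sample data: MACs as they might appear in an ARP table, and a
# token list as a bridge might store it (two derived from MACs, one random).
LAN_MACS = ["00:11:22:AA:BB:CC", "de-ad-be-ef-00-01", "0a:1b:2c:3d:4e:5f"]
REGISTERED = [
    hashlib.md5(b"00:11:22:aa:bb:cc").hexdigest(),
    hashlib.md5(b"DEADBEEF0001").hexdigest(),
    new_token(),
]

if __name__ == "__main__":
    weak = audit_tokens(REGISTERED, LAN_MACS)
    for token in REGISTERED:
        status = f"WEAK, derived from {weak[token]}" if token in weak else "ok"
        print(token, status)
```

Any token the audit flags can be reproduced by anyone who can see the matching hardware address, so it should be revoked and replaced with a random one.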

The Philips system, which Ars has reviewed in detail before, allows people to use smartphones or computers connected to the Internet or local networks to turn lights on and off and control the color of ambient lighting. The video below demonstrates how the vulnerability can be exploited to create a blackout that lasts as long as the lights are connected to the wireless control bridge. Even disabling the smartphone or computer the exploit abuses to take control of the system may not be enough to turn the lights back on if there are other devices on the network that have already been authenticated.

While Dhanjani's proof-of-concept code is rudimentary, it's not outside the ability of a determined attacker to write more sophisticated code that could exploit the vulnerability in large numbers of light controllers all at once.

"Imagine the power of a remote botnet system being able to simultaneously cause a perpetual blackout of millions of consumer lightbulbs," Dhanjani wrote in a more detailed analysis. "As consumer [Internet of Things] devices permeate homes and offices, this scenario is increasingly likely in the near future."

The researcher said he attempted to contact Philips representatives privately to notify them of the vulnerabilities he found in their product, but the best he was able to do was exchange a few messages over Twitter. The inability of a white-hat hacker to report defects like these is the biggest concern consumers should have. If Philips or any other company wants to offer products that act like Internet-connected hardware or services, they should first establish the kind of secure development programs in place at Microsoft, Apple, and Google. That way, people who buy these new devices won't be subject to the kinds of attacks that targeted users of Windows XP a decade ago.

"It is important that Philips and other consumer [Internet of Things] organizations take issues like these seriously," Dhanjani wrote. "In the age of malware and powerful botnets, it is vital that people's homes be secure from vulnerabilities like these that can cause physical consequences."

Update:

In an interview on Wednesday, George Yianni, head of technology for connected lighting at Philips, told Ars the Hue lighting system was intentionally designed to grant access to any device connected to a user's home network. Company designers went about doing this by using security tokens that are generated without requiring a user to press a special authentication button on the wireless bridge of the system.

"We've made the choice to make this token something which any app that runs on your phone can also generate," Yianni said. "People have 20 different Hue apps on their phone and we wanted to have these apps be able to share the same security tokens with each other so the user would not have to go and press the button on the bridge every single time he installs an app."

Yianni also said the company is going to make it easier for researchers to privately report security vulnerabilities.

Promoted Comments

Fun toy except for the fact they'll never fix the security problems. EVER. Because they don't really have anyone working on the apps. They are stagnant. The iOS version has the most features. The Android is half assed. And the "Web portal" version is probably the worst way to control it because you have to call outside to Philips and it has to tunnel its way back into the office.

This is why I am loath to trust any consumer electronics company to correctly handle complex computer-related products. They all have the mentality that, once a product ships, it's "done", and they move on to the next thing. The idea of continuing support is alien to them. Stuff like this is simply out of their league. You also see similar lack of support with various other "smart" home products like DVD players, A/V receivers, etc.

Lee Hutchinson would comment on this article, but he's trying to figure out why his house is so dark right now...

This vulnerability is interrupting my Hue Rave.

I'm not terribly worried about this, since it explicitly relies on the victim first visiting a web site that hits him/her with a drive-by payload delivered via a Java exploit. In other words, folks who continue to do the smart thing and not have anything to do with Java on their desktops should continue to be fine.

I use scripts almost exclusively when I'm controlling my lights; once the payload is delivered, it looks like it works mostly the same way using the same method—an API call to the bridge to set all lights to state off.

The Hue bridge does rate limit requests, but they're pretty high limits over a short period of time (like 30 calls in 1 second or something—I'd have to look to verify, but it's very short); judging by the parts of the video where the lights briefly flick on and then off, the API calls delivered by the attack script are timed to fall outside the rate limiting. Philips could easily fix this with a Hue firmware update to expand the rate limiting to block out more than N API calls from any host within M seconds.

So, no, not even remotely worried about this. As a commentary on the inherent problems with the "internet of things" it's a valid concern; but this particular problem is a non-issue because it relies on a Java vulnerability to give an attacker the ability to execute arbitrary code on a victim's computer.

I'm going to respectfully disagree with Lee here. It's pretty specious to say this vulnerability is a non-issue because the PoC exploit, which this researcher threw together quickly, used Java. Exploits only get better over time. What's to prevent an exploit developer from using JavaScript or some other language in the future? As long as these lights use MAC addresses as the secret used in the authentication process you're at risk. People who are savvy enough to avoid Java may not be susceptible to this particular exploit. That is, the one we know about because it was written by a white hat hacker who published the code. But I think it's naive to believe the vulnerability is a non issue and that with additional work it can't be exploited in a much more potent and nefarious way.

Philips consumer products division living in a state of denial, "Oh nobody will do that to our product". Same old shit that infected the industrial process and control marketplace. Here we go again. I hope hospitals and other likewise "secured environments" do not implement Internet controlled/connected devices.

Probably the best thing that can be done is to email all hospital admin departs (and the IT guys as well) this posting.

By telling every hacker idiot in the world how to attack it before even giving Philips a chance to fix it?

Quote:

The researcher said he attempted to contact Philips representatives privately to notify them of the vulnerabilities he found in their product, but the best he was able to do was exchange a few messages over Twitter. The inability of a white-hat hacker to report defects like these is the biggest concern consumers should have.

Wait: Philips used the MD5 hash of the MAC address as a 'secure' key? Start with 48 whole bits of hardcore security (if you don't count the OUI, trivially guessable under many circumstances), explicitly designed to be spewed all over the place during the routine course of networked communication, then squeeze it down with a relatively ancient and computationally inexpensive digest algorithm, and nothing else?

I dread to think what horrible surprises lurk elsewhere in their design.

Oh dear god, this means I could be in the middle of my "sexy time" lighting scenario and then all the lights go out.

I still like my Hue lights and plan to get some of the new spotlight ones. Even if they never add security (known key hashed with broken algorithm ain't security). It would be nice if they upgrade to scrypt with an actual secret though. Even if they only have a single dev slaving away in a lightbulb sweatshop in Holland this will probably happen sooner or later.

From the blog: "I'd like to highlight a particular vulnerability that can be used by malware on an infected machine on the user's internal network to cause a sustained blackout." Hackers would need to get into my WiFi subnet as I do not plan on remote controlling my lights any other way. After that, they need to compromise a machine on my network. I am ok with needing to keep my computers secure.

Next time you're about to have surgery, only to be kept alive by a Philips ventilator connected to the net for monitoring, be sure to remember your joke about Rumbas killing cats, 'cause it'll be even funnier then!

Of all the things in life to worry about in our lives, this comes right after a dull fingernail clipper.

Arguably, some perspective makes it worse:

Does the state of all 4 novelty lightbulbs that your household could afford at Philips' current prices matter much? No, not really. Is the Philips lightbulb controller a full, ethernet-connected, embedded computer, with a security architecture apparently designed by people who couldn't be trusted with safety scissors? Yes, apparently it is.

An unpredictable lightbulb is a minor and highly visible problem. Not a dangerous one. A silently compromised host on your LAN, though, is all kinds of trouble. Computers, by default, are rather chatty and trusting when on a trusted network. Having yet another half-assed embedded system (with enough power to be dangerous; but not enough to run an OS that gets updates from somebody competent) is not a good thing.

These newfangled door locks are cool. They pose multiple problems of course. Imagine the door lock doesn't unlock whenever a neighbor is running their microwave. I can see this in an upcoming scary movie now...

Next time you're about to have surgery, only to be kept alive by a Philips ventilator connected to the net for monitoring, be sure to remember your joke about Rumbas killing cats, 'cause it'll be even funnier then!

I see. So basically you're comparing a critical life-support function in the ISS to the lighter on your barbecue?

Nope, nothing about a barbecue lighter.

For someone who seems proud of their imagination, you don't seem to want to use it. I googled "Philips medical hacks" and came up with this in the first hit:

These newfangled door locks are cool. They pose multiple problems of course. Imagine the door lock doesn't unlock whenever a neighbor is running their microwave. I can see this in an upcoming scary movie now...

There are certain things that don't need to be connected to the Internet. Door locks are at the top of that list! Duh!!

I know there are a lot of tech whack-jobs that would love to see everything (up to and including suppositories) that have direct Internet access - and frankly it's insane!

Why the hell would I need to know from work whether or not the toilet has flushed?!? This is the level of absurdity which people are worried about! You want security? Keep all your damn appliances off the Internet! If you don't, and somebody hacks your garbage disposal in the middle of the night, don't complain!

Next time you're about to have surgery, only to be kept alive by a Philips ventilator connected to the net for monitoring, be sure to remember your joke about Rumbas killing cats, 'cause it'll be even funnier then!

I see. So basically you're comparing a critical life-support function in the ISS to the lighter on your barbecue?

You don't seem to be getting his point, which is that if Philips makes it easy enough to hack one of its appliances it's pretty likely that any appliance will be vulnerable, given the fact that they aren't very concerned about security.

I believe the owner of the lights was "hacked" when they bought them. How ridiculous it is to spend over $100 for a light bulb! It would cost a manufacturer $5 or less to create a wifi controlled plug for a light bulb. The people who bought these are reckless with their money, why should anyone expect them to be intelligent with security?

I believe the owner of the lights was "hacked" when they bought them. How ridiculous it is to spend over $100 for a light bulb! It would cost a manufacturer $5 or less to create a wifi controlled plug for a light bulb. The people who bought these are reckless with their money, why should anyone expect them to be intelligent with security?

It's a hysteria mentality. Frankly I don't blame them. We now have the NSA to worry about… And… Wait for it… "They have the technology!!"

Sorry, Ray Chen's air-tight hatchway metaphor applies to this. If someone has compromised your phone or computer, having a few lights turned off or set to annoying colors is the least of your problems.

By telling every hacker idiot in the world how to attack it before even giving Philips a chance to fix it?

Quote:

The researcher said he attempted to contact Philips representatives privately to notify them of the vulnerabilities he found in their product, but the best he was able to do was exchange a few messages over Twitter. The inability of a white-hat hacker to report defects like these is the biggest concern consumers should have.

As a 3rd party app developer for the Hue, I've found direct email communication with Philips to be futile, but their online community is a decent place for conversation with actual Philips Hue developers.

Why do people even bother with smart lighting systems? The cost to run LED lights seems like it'd not warrant a computer system to control those lights.

Smart home lighting is still too expensive for most, but some people really value the ability to:
1) Adjust their lighting brightness while in bed or on the couch.
2) Set lighting alarms conveniently like their normal alarm clock app
3) Change the color of their lights to wake up in the morning, prepare for bed, or just set the mood at a social event